Hundreds of crypto enthusiasts woke up to empty wallets this month as a massive attack targeting MetaMask users has drained over $107,000 since January 2026. The coordinated theft spans nine major chains including Ethereum, BNB Chain, Base, and Arbitrum. Most victims didn’t even notice at first. That’s by design.
The hackers are playing it smart. No massive withdrawals here — just small amounts under $2,000 per wallet. Death by a thousand cuts. The largest chunk of stolen funds sits on Ethereum ($54,600) with BNB Chain holding another $25,500. The rest? Scattered across other chains like digital breadcrumbs.
Behind the scheme is a convincing phishing email. It’s got the MetaMask fox wearing a party hat. Cute, right? Wrong. The message claims users need a “mandatory 2026 system upgrade” — a classic pressure tactic to make people click without thinking. Spoiler alert: MetaMask doesn’t send upgrade notices via email.
This isn’t crypto’s first rodeo with sophisticated scams. Just last December, a tainted Chrome extension for Trust Wallet made off with $7 million after compromising 2,596 wallets. The incident was part of a troubling trend with 26 major exploits reported in December alone. Security experts suspect a connection between the two incidents. Same playbook, different target.
Blockchain sleuth ZachXBT has been tracking the suspicious address collecting these stolen funds. Meanwhile, analyst Vladimir S. points to the fake MetaMask email as the likely Trojan horse, while Anndylian raises eyebrows about potential insider involvement. Nobody has identified the exact technical exploit yet.
The thieves’ strategy resembles a digital parasite: slow, methodical, flying under the radar. No flashy heists, just persistent draining. They’re counting on victims being too busy to notice small transactions. The Trust Wallet hack from December involved a tainted npm package that compromised the security infrastructure. Victims could have better protected themselves by using cold storage for their long-term cryptocurrency holdings, keeping assets safely offline and away from these online threats.
The crypto community is left wondering: what’s the vulnerability? A compromised extension? Malicious code? The mystery deepens while wallets continue emptying. One thing’s certain — that urgent update email isn’t from MetaMask. It’s from someone who wants your crypto.